DevinderSharma
New Member
April 25, 2024
Question

SD-WAN IPSec Main Backup tunnels with Dynamic Public IPs at Branches


Hi All,


Can I leverage SD-WAN with dynamic IP primary and backup (LTE) Internet circuits at branch offices to establish tunnels to two circuits (again SD-WAN) at HQ (both will have a static public IP at this end)? Thanks so much.

4 replies

funkylicious
SuperUser
April 25, 2024

Hi,

Yes, this can be achieved and an example is shown here.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FortiGate-SD-WAN-with-an-IPSEC-VPN/ta-p/190756?externalID=FD41297


Since the HQ has static IP addresses, you can configure it as a dialup server and the branch as a dialup client:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-VPN-Configuration-Between-Two-FortiGates/ta-p/197667

"jack of all trades, master of none"
DevinderSharma
New Member
April 25, 2024

Thank you for your prompt help. I did look at this link last night but it is not the scenario that I am looking for. The branch has two ISPs (one primary DSL and backup LTE) and both are dynamic. The diagram on the link shows single ISP at branch and it has static IP.

funkylicious
SuperUser
April 25, 2024

You can create a similar config for the other link, similar to what is described in the document.

Also, from my experience, in order to avoid complex troubleshooting, I personally prefer to create 1:1 IPsec tunnels, meaning Branch ISP1 <> HQ ISP1 and Branch ISP2 <> HQ ISP2.


Something that I used in my lab for the hub as a dialup server (you can ignore the auto-discovery settings that I used for ADVPN):


config vpn ipsec phase1-interface
    edit "Overlay_P1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set localid "LAB-WAN1"
        set dpd on-idle
        set auto-discovery-sender enable
        set nattraversal disable
        set network-overlay enable
        set network-id 1
        set dpd-retryinterval 60
    next
    edit "Overlay_P2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set localid "LAB-WAN2"
        set dpd on-idle
        set auto-discovery-sender enable
        set nattraversal disable
        set network-overlay enable
        set network-id 2
        set dpd-retryinterval 60
    next
end

"jack of all trades, master of none"
funkylicious
SuperUser
April 25, 2024

And below is from one of my branches.


Again, please note that the PSK is missing and you can ignore the ADVPN config.


config vpn ipsec phase1-interface
    edit "Overlay_P1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set add-route disable
        set localid "B1-WAN1"
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set nattraversal disable
        set network-overlay enable
        set network-id 1
        set remote-gw WAN1
    next
    edit "Overlay_P2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set add-route disable
        set localid "B1-WAN2"
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set nattraversal disable
        set network-overlay enable
        set network-id 2
        set remote-gw WAN2
    next
end

"jack of all trades, master of none"
DevinderSharma
New Member
April 25, 2024

Appreciate again. The requirements are a bit complex. The branch side has a cellular LTE connection that is only to be used when the primary DSL is down. So, I cannot have 2 nailed-down tunnels on a one-to-one circuit basis. I can use the main/backup feature where the backup tunnel will get created when the monitored status of the primary is down. I have to study the ADVPN topic to see if that will make sense. Also, the tunnel from the branch should be able to fail over to the second HQ ISP if the main ISP circuit at HQ fails. I guess I can use the SD-WAN feature at the HQ site and then use the main/backup tunnel monitor feature at the branch site. Now I need to determine what remote GW IP to use at the branch to get to the two-ISP SD-WAN end at HQ.

DevinderSharma
New Member
April 25, 2024

I think I can create two Phase 1 VPN configs at the branches to specify two separate remote GW IPs.

funkylicious
SuperUser
April 25, 2024

Yes you can, and since both endpoints are FortiGates you can configure the phase2 selectors as 0.0.0.0/0 for remote and local and control everything from static routes and firewall policies.

You can have 2 static routes for the same remote subnet on both devices, one using the ISP1 IPsec tunnel with a lower AD and the 2nd using the ISP2 IPsec tunnel with a higher AD in the routing table.

"jack of all trades, master of none"
funkylicious
SuperUser
April 25, 2024

Sorry, I was referring to the fact that you can create 2 separate IPsec tunnels on the branch, each with the remote IP of the HQ WAN/ISP interface.

When the ISP1 interface goes down, the tunnel will also go down and traffic should be steered using the ISP2 interface and IPsec tunnel when that happens, assuming that you have the correct entries in the routing table.

"jack of all trades, master of none"
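The branch-side pieces the last two answers describe (0.0.0.0/0 phase2 selectors, two static routes for the same HQ subnet with different distances, one policy covering both tunnels), as an added example that is not from the thread or from Fortinet. It builds on the branch phase1 names posted above; the HQ LAN 10.100.0.0/24, the "internal" LAN interface name and the distances are constructed, and it assumes the FortiOS `set monitor` backup-tunnel option is the "main/backup" feature the question refers to.

```text
config vpn ipsec phase1-interface
    edit "Overlay_P2"
        # backup (LTE) tunnel: only negotiated while Overlay_P1 is down
        set monitor "Overlay_P1"
    next
end
config vpn ipsec phase2-interface
    edit "Overlay_P1_p2"
        set phase1name "Overlay_P1"
        set proposal aes128-sha256
        # 0.0.0.0/0 selectors on both tunnels: routing decides what crosses
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "Overlay_P2_p2"
        set phase1name "Overlay_P2"
        set proposal aes128-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    # same HQ subnet via both tunnels; lower distance wins while it is up
    edit 0
        set dst 10.100.0.0 255.255.255.0
        set device "Overlay_P1"
        set distance 10
    next
    edit 0
        set dst 10.100.0.0 255.255.255.0
        set device "Overlay_P2"
        set distance 20
    next
end
config firewall policy
    # one policy listing both tunnel interfaces, so failover needs no
    # policy change; "internal" is the assumed branch LAN interface
    edit 0
        set name "Branch-to-HQ"
        set srcintf "internal"
        set dstintf "Overlay_P1" "Overlay_P2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The HQ side needs the mirror image: 0.0.0.0/0 phase2 selectors on both dialup tunnels and a route to the branch LAN over each, with the same distance ordering.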